

Ethical Hacking News

Hackers Abuse Microsoft Entra Accounts Using Device Code Vishing Attacks


Hackers are targeting technology, manufacturing, and financial organizations in a new campaign that combines device code phishing and voice phishing to abuse Microsoft Entra accounts. Threat actors use legitimate OAuth client IDs and the device authorization flow to trick victims into authenticating, gaining access to corporate data for extortion.

  • Hackers are targeting Microsoft Entra accounts using device code phishing and vishing attacks.
  • The attackers use legitimate OAuth client IDs and the device authorization flow to trick victims into authenticating.
  • The attackers can retrieve refresh tokens and access tokens, allowing them to access the victim's account without multi-factor authentication.
  • The threat actors can now authenticate as the user in Microsoft Entra and access SaaS applications, enabling the theft of corporate data.
  • KnowBe4 recommends blocking malicious domains and sender addresses, auditing OAuth app consents, and reviewing Azure AD sign-in logs.
  • Device code phishing is not new and has been used by multiple threat actors in the past.



    Hackers are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.

    Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.

    Once the OAuth app is connected to an account, threat actors can use the device_code to retrieve the targeted employee's refresh token, which can then be exchanged for access tokens. Those access tokens allow attackers to access the employee's Microsoft services without having to complete multi-factor authentication again, since MFA was already completed during the initial login.

    The threat actors can now authenticate as the user in Microsoft Entra and access SaaS applications configured with SSO (single sign-on) in the victim's tenant, enabling the theft of corporate data for extortion. KnowBe4 Threat Labs also discovered a recent campaign that uses traditional phishing emails and websites to deliver device code attacks.

    KnowBe4 recommends that Microsoft 365 account holders block the malicious domains and sender addresses, audit and revoke suspicious OAuth app consents, and review Azure AD sign-in logs for device code authentication events. Administrators are also advised to turn off the device code flow option when it is not required and to enforce conditional access policies.
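    One way to carry out the sign-in log review recommended above, as an added example that is not from the article or from KnowBe4. The records are constructed, the allowlist is hypothetical, and the field names (authenticationProtocol, status.errorCode, userPrincipalName and so on) assume an export shaped like the Microsoft Graph signIn resource.

```python
import json
from collections import defaultdict

# Constructed sample records, not real telemetry. Field names follow the
# Microsoft Graph signIn resource; adjust them to match your own export.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-02-18T09:02:11Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
  "appDisplayName": "Constructed Client A", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-02-18T09:40:27Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
  "appDisplayName": "Constructed Client A", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-02-18T10:00:00Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.22",
  "appDisplayName": "Constructed Client B", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-02-18T10:05:00Z", "userPrincipalName": "room-display@contoso.example", "ipAddress": "203.0.113.30",
  "appDisplayName": "Constructed Client C", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-02-18T11:15:42Z", "userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.44",
  "appDisplayName": "Constructed Client A", "authenticationProtocol": "deviceCode", "status": {"errorCode": 1}}
]""")

# Hypothetical allowlist: accounts with a known need for device code flow.
EXPECTED_DEVICE_CODE_USERS = frozenset({"room-display@contoso.example"})


def triage_device_code_signins(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Summarise device code sign-ins per user, skipping allowlisted accounts."""
    per_user = defaultdict(lambda: {"successes": 0, "failures": 0,
                                    "apps": set(), "ips": set(), "first_seen": None})
    for rec in records:
        if (rec.get("authenticationProtocol") or "").lower() != "devicecode":
            continue  # other protocols are out of scope for this review
        user = (rec.get("userPrincipalName") or "unknown").lower()
        if user in expected_users:
            continue
        entry = per_user[user]
        # errorCode 0 marks a successful sign-in; any other value is a failure.
        ok = (rec.get("status") or {}).get("errorCode") == 0
        entry["successes" if ok else "failures"] += 1
        entry["apps"].add(rec.get("appDisplayName") or "unknown")
        entry["ips"].add(rec.get("ipAddress") or "unknown")
        seen = rec.get("createdDateTime")
        if seen and (entry["first_seen"] is None or seen < entry["first_seen"]):
            entry["first_seen"] = seen
    findings = [{"user": u, **e, "apps": sorted(e["apps"]), "ips": sorted(e["ips"])}
                for u, e in per_user.items()]
    # Users with successful device code sign-ins sort first for review.
    return sorted(findings, key=lambda f: (-f["successes"], f["user"]))

if __name__ == "__main__":
    for finding in triage_device_code_signins(SAMPLE_SIGNINS):
        print(json.dumps(finding))
```

    Users listed with one or more successes and no documented need for device code flow are the candidates for the token and consent review the article describes.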

    Device code phishing is not new, with multiple threat actors having used this method to breach accounts in the past. In February 2025, the Microsoft Threat Intelligence Center warned that Russian hackers were targeting Microsoft 365 accounts using device code phishing. In December, Proofpoint reported similar attacks that use a phishing kit similar to the one seen by KnowBe4 to breach Microsoft accounts.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Abuse-Microsoft-Entra-Accounts-Using-Device-Code-Vishing-Attacks-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/

  • https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

  • https://www.csoonline.com/article/4110419/hackers-exploit-microsoft-oauth-device-codes-to-hijack-enterprise-accounts.html


  • Published: Thu Feb 19 12:16:23 2026 by llama3.2 3B Q4_K_M












